Cybersecurity Application Security Engineer

Nelnet
about 2 months ago
Phoenix, AZ, United States
Hybrid
Full-time
Junior Level (1-3 years)

Job Description

Position Overview

Nelnet is a diversified and innovative company committed to enriching lives through the power of service as a student loan servicer, professional services company, consumer loan originator and servicer, payments processor, renewable energy solutions provider, and K-12 and higher education expert. For over 40 years, Nelnet has been serving its customers, associates, and communities. The perks of working at Nelnet go beyond our benefits package; when you join the team, you become part of a community dedicated to each individual’s success.

We are seeking a highly skilled Application Security Engineer with strong experience in secure code review, penetration testing, automation, and modern SDLC practices—including emerging AI/LLM security. In this role, you will collaborate with engineering, cloud, and product teams to safeguard our applications, services, and AI-driven components from design through production. This position combines hands-on technical testing with scalable automation and developer enablement to mature our AppSec program and ensure secure, resilient applications at speed.

Salary: $90,000-$125,000 annually. Schedule: Hybrid (3 days in-office, 2 days remote). Location: United States – candidates must be authorized to work without visa sponsorship.

Key Responsibilities

  • Manual Source Code Review
  • SAST/DAST scanning
  • Expand the Security Champions program
  • Develop automated source code review processes
  • Work with product teams to ensure secure SDLC processes are in place
  • Provide detailed vulnerability reports to business units

Required Qualifications

  • 2–4 years of hands-on application security experience
  • Experience integrating security tooling and automated checks into CI/CD pipelines
  • Familiarity with OWASP Top 10 and web testing methodologies
  • Proven ability to assess and communicate risks and urgency to management and engineering teams
  • Experience with technical report writing and effective communication
  • Strong manual code review experience in at least one major language (Java, JavaScript/TypeScript, C#, PHP, etc.)
  • Solid threat-modeling expertise (STRIDE, attack trees, misuse cases) for both traditional systems and AI/LLM-integrated features
  • Proficiency with SAST, SCA, DAST, web and mobile pentesting, container scanners, secrets-detection tools, and ideally AI-security scanning platforms
  • Scripting/automation skills (Python, Bash, Node) for building custom tooling and automating processes
  • Good understanding of AI/LLM attack surfaces including prompt injection, insecure output handling, model-data leakage, and RAG vulnerabilities
  • Strong knowledge of web/API security concepts (session management, secure storage, transport security)
  • Excellent organizational, presentation, verbal, and written communication skills
  • Aptitude for self-study and for setting and achieving long-term goals
  • Ability to adapt to changing technology and business landscapes while challenging prevailing assumptions when appropriate
  • Ability to tailor communications to different audiences and information-sharing needs

Preferred Qualifications

  • Experience performing secure code reviews or building internal developer tooling
  • Previous work with AI or LLM-integrated applications, including model security or prompt safety
  • Experience with mobile security, reverse engineering, or platform-specific secure coding
  • Certifications such as OSWE, OSCP, GWAPT, GCSA, GCPN, or ML security credentials (beneficial but not required)
  • Ability to mentor junior developers/engineers in secure design and coding practices

Benefits & Perks

  • Medical, Dental, and Vision coverage
  • HSA and FSA options
  • Generous earned time off
  • 401K and student loan repayment
  • Life insurance & AD&D insurance
  • Employee Assistance Program
  • Employee Stock Purchase Program
  • Tuition reimbursement
  • Performance-based incentive pay
  • Short- and long-term disability coverage
  • Robust wellness program

Required Skills

Vulnerability Reporting
Automation
Risk Assessment
Manual Code Review
SAST
Scripting (Python, Bash, Node)
CI/CD Pipeline Integration
DAST
OWASP Top 10
Threat Modeling